RubyGems - s3-secure - Versions diffs - 0.3.0 → 0.5.1 - Mend

s3-secure 0.3.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +16 -0
data/LICENSE.txt +201 -22
data/README.md +134 -16
data/lib/s3_secure.rb +3 -2
data/lib/s3_secure/abstract_base.rb +2 -1
data/lib/s3_secure/access_logs.rb +32 -0
data/lib/s3_secure/access_logs/base.rb +4 -0
data/lib/s3_secure/access_logs/disable.rb +37 -0
data/lib/s3_secure/access_logs/enable.rb +41 -0
data/lib/s3_secure/access_logs/list.rb +25 -0
data/lib/s3_secure/access_logs/show.rb +89 -0
data/lib/s3_secure/aws_services.rb +1 -30
data/lib/s3_secure/aws_services/s3.rb +54 -0
data/lib/s3_secure/cli.rb +27 -1
data/lib/s3_secure/command.rb +7 -0
data/lib/s3_secure/encryption.rb +4 -0
data/lib/s3_secure/encryption/disable.rb +5 -9
data/lib/s3_secure/encryption/enable.rb +5 -11
data/lib/s3_secure/encryption/list.rb +12 -16
data/lib/s3_secure/encryption/show.rb +14 -9
data/lib/s3_secure/help/batch.md +14 -0
data/lib/s3_secure/help/encryption/disable.md +5 -0
data/lib/s3_secure/help/encryption/enable.md +6 -0
data/lib/s3_secure/help/encryption/list.md +5 -0
data/lib/s3_secure/help/lifecycle/add.md +13 -0
data/lib/s3_secure/help/lifecycle/list.md +22 -0
data/lib/s3_secure/help/lifecycle/remove.md +5 -0
data/lib/s3_secure/help/lifecycle/show.md +13 -0
data/lib/s3_secure/help/policy/enforce_ssl.md +34 -0
data/lib/s3_secure/help/policy/list.md +5 -0
data/lib/s3_secure/help/policy/unforce_ssl.md +61 -0
data/lib/s3_secure/help/summary.md +22 -0
data/lib/s3_secure/lifecycle.rb +33 -0
data/lib/s3_secure/lifecycle/add.rb +33 -0
data/lib/s3_secure/lifecycle/base.rb +5 -0
data/lib/s3_secure/lifecycle/builder.rb +47 -0
data/lib/s3_secure/lifecycle/list.rb +24 -0
data/lib/s3_secure/lifecycle/remove.rb +28 -0
data/lib/s3_secure/lifecycle/show.rb +40 -0
data/lib/s3_secure/policy.rb +4 -0
data/lib/s3_secure/policy/enforce.rb +6 -10
data/lib/s3_secure/policy/list.rb +13 -17
data/lib/s3_secure/policy/show.rb +11 -10
data/lib/s3_secure/policy/unforce.rb +7 -10
data/lib/s3_secure/remediate_all.rb +12 -0
data/lib/s3_secure/say.rb +7 -0
data/lib/s3_secure/summary.rb +13 -0
data/lib/s3_secure/summary/item.rb +16 -0
data/lib/s3_secure/summary/items.rb +65 -0
data/lib/s3_secure/table.rb +18 -0
data/lib/s3_secure/version.rb +1 -1
data/lib/s3_secure/versioning.rb +31 -0
data/lib/s3_secure/versioning/base.rb +4 -0
data/lib/s3_secure/versioning/disable.rb +19 -0
data/lib/s3_secure/versioning/enable.rb +19 -0
data/lib/s3_secure/versioning/list.rb +24 -0
data/lib/s3_secure/versioning/show.rb +27 -0
data/s3-secure.gemspec +5 -2
data/spec/lib/lifecycle/builder_spec.rb +85 -0
metadata +72 -5
data/lib/s3_secure/help/hello.md +0 -5

data/lib/s3_secure/lifecycle/remove.rb ADDED

@@ -0,0 +1,28 @@
+class S3Secure::Lifecycle
+  class Remove < Base
+    RULE_ID = Base::RULE_ID
+    def run
+      show = Show.new(@options)
+      unless show.has?(RULE_ID)
+        say "Bucket #{@bucket} already does not have the #{RULE_ID} lifecycle rule."
+        return
+      end
+      builder = Builder.new(show.get_lifecycle_rules(@bucket))
+      rules = builder.rules_with_removal
+      if rules.empty?
+        s3.delete_bucket_lifecycle(bucket: @bucket)
+      else
+        # update config with removal
+        s3.put_bucket_lifecycle_configuration(
+          bucket: @bucket, # required
+          # content_md5: "ContentMD5",
+          lifecycle_configuration: {rules: rules}
+        )
+      end
+      say "Removed the #{RULE_ID} lifecycle rule on bucket #{@bucket}"
+    end
+  end
+end

data/lib/s3_secure/lifecycle/show.rb ADDED

@@ -0,0 +1,40 @@
+class S3Secure::Lifecycle
+  class Show < Base
+    RULE_ID = Base::RULE_ID
+    def run
+      if any?
+        say "This S3 bucket has lifecycle rules"
+      else
+        say "This S3 bucket does not have lifecycle rules"
+      end
+      if any?
+        say "Bucket lifecycle details: "
+        pp get_lifecycle(@bucket).to_h
+      end
+    end
+    def any?
+      rules = get_lifecycle_rules(@bucket)
+      !!(rules && !rules.empty?)
+    end
+    def has?(rule_id)
+      rules = get_lifecycle_rules(@bucket)
+      rules && rules.detect { |rule| rule[:id] == rule_id }
+    end
+    def get_lifecycle(bucket)
+      s3.get_bucket_lifecycle_configuration(bucket: bucket) # resp
+    rescue Aws::S3::Errors::NoSuchLifecycleConfiguration
+    end
+    memoize :get_lifecycle
+    # Also used by add and remove
+    def get_lifecycle_rules(bucket)
+      resp = get_lifecycle(bucket)
+      resp.rules.map(&:to_h) if resp
+    end
+  end
+end

data/lib/s3_secure/policy.rb CHANGED

@@ -1,7 +1,11 @@
 module S3Secure
   class Policy < Command
+    class_option :quiet, type: :boolean
     desc "list", "List bucket policies"
     long_desc Help.text("policy/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :policy, type: :boolean, desc: "Filter for policy: all, true, false"
     def list
       List.new(options).run
     end

data/lib/s3_secure/policy/enforce.rb CHANGED

@@ -6,16 +6,13 @@ class S3Secure::Policy
     end
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = S3Secure::Policy::Show.new(@options)
-      list = S3Secure::Policy::List.new(@options)
-      list.set_s3(@s3)
-      bucket_policy = list.get_policy(@bucket)
+      bucket_policy = show.policy
       document = Document.new(@bucket, bucket_policy)
       if document.has?(@sid)
-        puts "Bucket policy for #{@bucket} has ForceSSLOnlyAccess policy statement already:"
-        puts bucket_policy
+        say "Bucket policy for #{@bucket} has ForceSSLOnlyAccess policy statement already:"
+        say bucket_policy
       else
         # Set encryption rules
         # Ruby docs: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Client.html#put_bucket_policy-instance_method
@@ -24,12 +21,11 @@ class S3Secure::Policy
         #    put_bucket_policy returns #<struct Aws::EmptyStructure>
         #
         policy_document = document.policy_document(@sid)
-        @s3.put_bucket_policy(
+        s3.put_bucket_policy(
           bucket: @bucket,
           policy: policy_document,
         )
-        puts "Add bucket policy to bucket #{@bucket}:"
-        puts policy_document
+        say "Add bucket policy to bucket #{@bucket}:"
       end
     end
   end

data/lib/s3_secure/policy/list.rb CHANGED

@@ -1,29 +1,25 @@
 class S3Secure::Policy
   class List < Base
     def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Has Policy?"]
       buckets.each do |bucket|
-        @s3 = s3_regional_client(bucket)
-        puts "Policy for bucket #{bucket.color(:green)}"
-        policy = get_policy(bucket)
+        $stderr.puts "Getting policy for bucket #{bucket.color(:green)}"
+        show = Show.new(bucket: bucket)
+        policy = show.policy
-        if policy
-          puts policy
+        row = [bucket, !!policy]
+        if @options[:policy].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:policy]
+          presenter.rows << row if policy # only show if bucket has a policy
         else
-          puts "Bucket does not have a bucket policy"
+          presenter.rows << row unless policy # only show if bucket doesnt have a policy
         end
       end
-    end
-    def get_policy(bucket)
-      resp = @s3.get_bucket_policy(bucket: bucket)
-      data = JSON.load(resp.policy.read) # String
-      JSON.pretty_generate(data)
-    rescue Aws::S3::Errors::NoSuchBucketPolicy
-    end
-    # Useful when calling List outside of the list CLI
-    def set_s3(client)
-      @s3 = client
+      presenter.show
     end
   end
 end

data/lib/s3_secure/policy/show.rb CHANGED

@@ -1,19 +1,20 @@
 class S3Secure::Policy
   class Show < Base
     def run
-      @s3 = s3_regional_client(@bucket)
-      list = S3Secure::Policy::List.new(@options)
-      list.set_s3(@s3)
-      policy = list.get_policy(@bucket)
       if policy
-        puts "Bucket #{@bucket} is configured with this policy:"
-        puts policy
-        # puts policy.map(&:to_h)
+        say "Bucket #{@bucket} is configured with this policy:"
+        say policy
       else
-        puts "Bucket #{@bucket} is not configured bucket policy"
+        say "Bucket #{@bucket} is not configured bucket policy"
       end
     end
+    def policy
+      resp = s3.get_bucket_policy(bucket: @bucket)
+      data = JSON.load(resp.policy.read) # String
+      JSON.pretty_generate(data)
+    rescue Aws::S3::Errors::NoSuchBucketPolicy
+    end
+    memoize :policy
   end
 end

data/lib/s3_secure/policy/unforce.rb CHANGED

@@ -6,12 +6,9 @@ class S3Secure::Policy
     end
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = S3Secure::Policy::Show.new(@options)
-      list = S3Secure::Policy::List.new(@options)
-      list.set_s3(@s3)
-      bucket_policy = list.get_policy(@bucket)
+      bucket_policy = show.policy
       document = Document.new(@bucket, bucket_policy, remove: true)
       if document.has?(@sid)
         # Set encryption rules
@@ -23,18 +20,18 @@ class S3Secure::Policy
         policy_document = document.policy_document(@sid)
         if policy_document
-          @s3.put_bucket_policy(
+          s3.put_bucket_policy(
             bucket: @bucket,
             policy: policy_document,
           )
         else
-          @s3.delete_bucket_policy(bucket: @bucket)
+          s3.delete_bucket_policy(bucket: @bucket)
         end
-        puts "Remove bucket policy to bucket #{@bucket}:"
-        puts policy_document if policy_document
+        say "Remove bucket policy statement from bucket #{@bucket}:"
+        say policy_document if policy_document
       else
-        puts "Bucket policy for #{@bucket} does not have ForceSSLOnlyAccess policy statement. Nothing to be done."
+        say "Bucket policy for #{@bucket} does not have ForceSSLOnlyAccess policy statement. Nothing to be done."
       end
     end
   end

data/lib/s3_secure/remediate_all.rb ADDED

@@ -0,0 +1,12 @@
+module S3Secure
+  class RemediateAll < AbstractBase
+    def run
+      o = @options.merge(bucket: @bucket)
+      Encryption::Enable.new(o).run
+      Policy::Enforce.new(o.merge(sid: "ForceSSLOnlyAccess")).run
+      Versioning::Enable.new(o).run
+      Lifecycle::Add.new(o).run
+      AccessLogs::Enable.new(o).run
+    end
+  end
+end

data/lib/s3_secure/say.rb ADDED

@@ -0,0 +1,7 @@
+module S3Secure
+  module Say
+    def say(msg)
+      puts msg unless @options[:quiet]
+    end
+  end
+end

data/lib/s3_secure/summary.rb ADDED

@@ -0,0 +1,13 @@
+module S3Secure
+  class Summary < AbstractBase
+    def run
+      $stderr.puts("Determining bucket security-related settings. Can take a while for lots of buckets...")
+      data = [%w[Bucket SSL? Encrypted?]]
+      items = Items.new(@options, buckets)
+      items.filtered_items.each do |i|
+        data << [i.bucket, i.ssl, i.encrypted]
+      end
+      S3Secure::Table.new(@options, data).display
+    end
+  end
+end

data/lib/s3_secure/summary/item.rb ADDED

@@ -0,0 +1,16 @@
+class S3Secure::Summary
+  class Item
+    attr_reader :bucket
+    def initialize(bucket, properties={})
+      @bucket, @properties = bucket, properties
+    end
+    def method_missing(name, *args, &block)
+      if @properties.key?(name)
+        @properties[name]
+      else
+        super
+      end
+    end
+  end
+end

data/lib/s3_secure/summary/items.rb ADDED

@@ -0,0 +1,65 @@
+class S3Secure::Summary
+  class Items < S3Secure::AbstractBase
+    extend Memoist
+    # override initialize
+    def initialize(options, buckets)
+      @options, @buckets = options, buckets
+      @ssl, @encrypted = @options[:ssl], @options[:encrypted]
+    end
+    def filtered_items
+      items = all_items.select do |item|
+        case @ssl
+        when "yes", "no"
+          @ssl == item.ssl
+        else # any or fallback
+          true
+        end
+      end
+      items.select do |item|
+        case @encrypted
+        when "yes", "no"
+          @encrypted == item.encrypted
+        else # any or fallback
+          true
+        end
+      end
+    end
+    # Triggers loading of items
+    def all_items
+      load_items!
+    end
+    def load_items!
+      @buckets.map do |bucket|
+        Item.new(bucket,
+                 ssl: ssl?(bucket) ? "yes" : "no",
+                 encrypted: encrypted?(bucket) ? "yes" : "no")
+      end
+    end
+    memoize :load_items!
+  private
+    def ssl?(bucket)
+      list = S3Secure::Policy::List.new(@options)
+      bucket_policy = list.get_policy(bucket)
+      document = S3Secure::Policy::Document.new(bucket, bucket_policy)
+      document.has?("ForceSSLOnlyAccess")
+    end
+    memoize :ssl?
+    def encrypted?(bucket)
+      s3 = s3_regional_client(bucket)
+      list = S3Secure::Encryption::List.new(@options)
+      list.set_s3(s3)
+      rules = list.get_encryption_rules(bucket)
+      !!rules
+    end
+    memoize :encrypted?
+  end
+end

data/lib/s3_secure/table.rb ADDED

@@ -0,0 +1,18 @@
+require "text-table"
+module S3Secure
+  class Table
+    attr_reader :data
+    def initialize(options, data)
+      @options = options
+      @data = data
+    end
+    def display
+      table = Text::Table.new
+      table.head = data.shift
+      table.rows = data
+      puts table
+    end
+  end
+end

data/lib/s3_secure/version.rb CHANGED

@@ -1,3 +1,3 @@
 module S3Secure
-  VERSION = "0.3.0"
+  VERSION = "0.5.1"
 end

data/lib/s3_secure/versioning.rb ADDED

@@ -0,0 +1,31 @@
+module S3Secure
+  class Versioning < Command
+    class_option :quiet, type: :boolean
+    desc "list", "List bucket versionings"
+    long_desc Help.text("versioning/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :versioning, desc: "Filter for versioning: all, true, false"
+    def list
+      List.new(options).run
+    end
+    desc "show BUCKET", "show bucket versioning"
+    long_desc Help.text("versioning/show")
+    def show(bucket)
+      Show.new(options.merge(bucket: bucket)).run
+    end
+    desc "enable BUCKET", "enable bucket versioning"
+    long_desc Help.text("versioning/enable")
+    def enable(bucket)
+      Enable.new(options.merge(bucket: bucket)).run
+    end
+    desc "disable BUCKET", "disable bucket versioning"
+    long_desc Help.text("versioning/disable")
+    def disable(bucket)
+      Disable.new(options.merge(bucket: bucket)).run
+    end
+  end
+end

data/lib/s3_secure/versioning/base.rb ADDED

@@ -0,0 +1,4 @@
+class S3Secure::Versioning
+  class Base < S3Secure::AbstractBase
+  end
+end

data/lib/s3_secure/versioning/disable.rb ADDED

@@ -0,0 +1,19 @@
+class S3Secure::Versioning
+  class Disable < Base
+    def run
+      show = Show.new(@options)
+      if show.enabled?
+        s3.put_bucket_versioning(
+          bucket: @bucket,
+          versioning_configuration: {
+            # mfa_delete: "Disabled",
+            status: "Suspended",
+          },
+        )
+        say "Versioning Suspended on bucket #{@bucket}"
+      else
+        say "Bucket #{@bucket} is already has versioning already Suspended or not Enabled."
+      end
+    end
+  end
+end

data/lib/s3_secure/versioning/enable.rb ADDED

@@ -0,0 +1,19 @@
+class S3Secure::Versioning
+  class Enable < Base
+    def run
+      show = Show.new(@options)
+      if show.enabled?
+        say "Bucket #{@bucket} is has versioning already enabled."
+      else
+        s3.put_bucket_versioning(
+          bucket: @bucket,
+          versioning_configuration: {
+            # mfa_delete: "Disabled",
+            status: "Enabled",
+          },
+        )
+        say "Versioning enabled on bucket #{@bucket}"
+      end
+    end
+  end
+end